Category Archives: Ownership

It’s not what you don’t say

“Hiring Hazard: Social Media,” The Wall Street Journal, August 6, 2018 B1.  What happens when you hire (or don’t hire) someone with a “history” of social media postings, some of which may now (or then, or both) be viewed as objectionable?

An editorial writer for a major newspaper is found to have written some racist comments.  A director gets booted from Disney for old tweets. Major league ball players get shamed.

Do the Europeans have it right?  Do you have a right to be forgotten?  Or are you stuck with what you said or wrote years ago, provided that it is preserved electronically?  You did say it, in preservable format.

Is this Governance (or self-governance)?  O the nature of Information?  Or Compliance with ever-evolving social mores?

Advertisements

Leave a comment

Filed under Access, Accuracy, Communications, Duty, Duty of Care, Governance, Ownership, Privacy

Gee, what could go wrong?

“Facebook Asks Banks for Customer Data,” The Wall Street Journal, August 7, 2018 A1. “[T]o offer new services to users,” Facebook asks banks for “detailed financial information about their customers.”

I can see what’s in it for Facebook, and maybe for the banks.  But isn’t this your information?  Shouldn’t you have some control what the banks do with it?  Are you comfortable with the controls the banks and Facebook will place on this information?  It might be convenient for you, but at what risk?

Do we remember Cambridge Analytica?  Will Facebook try to do this in Europe?

To whom do you complain?  Your elected representative?  Your bank?  The state or federal regulators?

Leave a comment

Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Information, Internal controls, Investor relations, IT, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Uncategorized, Who is in charge?

What you have, where you have it

A common starting point to information governance projects is to determine what information you have and where you have it.  Then you can start to manage it. But what happens if you don’t know what you have nor where you have it?

“Facebook Struggles to Find User Data,” The Wall Street Journal, June 28, 2018 B1. “The company can’t track where much of the [user] data went after it left the platform or figure out where is it now.”

A lot of the information is or was with app developers that are now out of business.  What happened to your/Facebook’s/their data?

Sure is easier to figure this out going forward than it is to figure out what happened between 2007 and 2015.  Especially if disclosure of some of that information is blocked by the government in far-off lands.  Or if the app developers don’t fancy having Facebook root through their servers and discovering their business secrets.  Or if Facebook doesn’t have a contractual right to get this information.

Sure would be easier if they’d had the proper controls in place at the time.

Leave a comment

Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Ownership, Ownership, Privacy, Protect assets, Security, Third parties, Vendors

That clears that up

“Court Ruling Boosts Phone Privacy,” The Wall Street Journal, June 23, 2018 A1.  The Supremes’ rule that, in order to get your cell phone’s location data from your service provider, the government needs a warrant.

This raises several interesting Information-related points.  First, who owns that information?  Second, who (beyond the “owner”) has possession of that information? Third, who does the warrant get served on – the third party (also) in possession of this data, or the person who owns it and who doesn’t possess this data, and who in fact seldom knows that this data exists? Fourth, what else, beyond cell phone location data, is within this special zone of privacy, both today and in the future?  Fifth, what exactly are the exceptions?  Are they limited to bomb threats and shooters and child abductors?  Or is that somewhat flexible, too?  Does this hinge on “reasonableness,” which is somewhat loosy-goosey except in retrospect?  Does this apply to your Metro card?  Or your PayPal account?

And, then, as a Governance point, how does one justify this expansion of protection to things that are not “their persons, houses, papers, and effects …”?  Expanding a right to privacy that does not exist in the express language of the Constitution.

I haven’t read the decision and the dissents, just some news reports.  But didn’t a statute passed by Congress allow the government to access your data when stored with third parties? Is that statute (the Stored Communications Act) now valid or invalid?

Leave a comment

Filed under Access, Compliance, Duty, Governance, Government, Information, Ownership, Ownership, Privacy

Verrry interesting

“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10.  Companies aren’t buying as much privacy insurance as people thought.

Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased.  Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls.  Insurance is a mitigation in case your controls aren’t totally effective.

Are these companies doing the same with other risks to other assets?  Or is you private data somehow different?

Leave a comment

Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties

Poster boy for Information Governance

Years ago, while teaching a course to MBA students at Rice University, I used the Target credit card breach as a case study.  It touched a lot of bases.  Now we have a better one.

While there have been a lot of information governance-related stories in the news over the past two years, including Equifax and Facebook and VW and Wells Fargo, my nominee for the one name associated with the most significant teaching example in information governance and compliance is the former FBI Director, James Comey.

First, he gave us The Day That Information Governance Died, with his July 5, 2016 pronouncement that, notwithstanding her clear violations of several applicable legal laws dealing with the handling of confidential or secret information (and the destruction of information subject to a subpoena), Secretary Hillary Clinton’s use (and wiping) of a private server to store government email was not going to be prosecuted.  Such a pronouncement deviated “‘from well-established Department policies'” that the FBI does not comment about  ongoing criminal investigations.

Then he wrote a memo ostensibly commemorating a meeting he had with his boss on government business on a government computer (while in a government vehicle) during the work day, and declared that that was his personal correspondence that he could (and did) distribute as he pleased.

And now we learn that he conducted government business over his own private gmail account {that information does not appear in the WSJ article – Ed.}, and actively avoid his boss’ oversight (and his bosses failed to adequately supervise him).  “Report Blasts FBI Agents, Comey Over Clinton Probe,” The Wall Street Journal, June 15, 2018 A1. Inspector General releases his report on the Clinton Investigation.

Recap:

  • Violations of law are not enforced
  • Evidence is destroyed notwithstanding a subpoena
  • Senior employees ignore long-standing policy
  • Senior employees treat documents prepared by them in the course of business as their personal information
  • Senior employees use private email accounts to transact government business
  • Employees hide things from their bosses
  • Bosses failed to adequately supervise their reports

And this is at the FBI, by a lawyer.

Does anyone wonder why we have a hard time getting traction on information governance initiatives?  Certainly an argument for an Information Governance case study of just the Clinton email investigation and its aftermath.  Not sure you could cover it all in one semester, at both law schools and business schools.

 

Leave a comment

Filed under Communications, Compliance, Compliance (General), Controls, Culture, Discovery, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, Lawyers, Managers, Oversight, Ownership, Ownership, Policy, Requirements, Supervision, Who is in charge?

A handful for May Day

A departure from the one-story-one-post approach.

  1. “Israel Targets Iran Accord,” The Wall Street Journal, May 1, 2018 A1. Israel releases Iranian documents about a nuclear weapons program found in an abandoned warehouse. At least two themes: (a) What does information mean? Did Iran lie during negotiations? (b) Do you destroy documents/information that are/is no longer useful to you?  What does it say when you don’t?
  2. “‘Fake News’ Law Snares an Offender,” The Wall Street Journal, May 1, 2018 A16. A visitor to Malaysia convicted and sentenced for publishing “fake news” about how quickly/slowly emergency services responded to a shooting. Interesting that the first conviction under the new law was of a foreigner.
  3. “Banks Draw Bead on Guns,” The Wall Street Journal, May 1, 2018 B1. Banks and credit card companies discuss tracking your purchases of guns.  What will they do with that information? Is there other information they can deduce from your purchases that someone would like to track? Would your health insurer/doctor like to track your food and alcohol purchases?  Whose information is that, anyway?
  4. “Guilty Verdict in Autonomy Case,” The Wall Street Journal, May 1, B2.  Former CFO of Autonomy convicted of fraud in connection with the sale of Autonomy to HP for $11 billion in 2011.  This was not some lower-level accountant accused of misstating aspects of a tax-motivated deal. Instead, the fraud overstated Autonomy’s revenue and generally misstating financial results.  The former CEO has also been sued in the UK for damages.
  5. “Facebook Shares the Shared,” The Wall Street Journal, May 1, 2018 B5. Now you can download any of 25 categories of the information that Facebook keeps on you.  Your search history.  When you liked or didn’t like something.  Which and how many advertisers have your contact information.  How many categories does Facebook have?  We don’t know.

Leave a comment

Filed under Access, Accuracy, Analytics, Communications, Compliance, Compliance (General), Controls, Corporation, Data quality, Definition, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Oversight, Ownership, Ownership, Privacy, Protect assets, Protect information assets, Technology, To report, Value